Event Search

Under Pressure: The Modern Day Security Practitioner

December 29, 2016

By Katherine Teitler

Earlier this year, Forbes published its view of the “10 Most Stressful Jobs in 2016.” Admittedly, the security profession isn’t as physically dangerous as fighting fires or piloting an airplane, but security comes with its own unique set of threats that make day-to-day work incredibly stressful.

As evidence, just look at the hot debate between the FBI and Apple. The encrypted messaging app, Telegram, had admitted that members of the Islamic State may have used its services to coordinate the deadly attacks in Paris. Even if we take our eye off of these horrific events in the physical world, the dangers of losing data or worse, having it stolen, forces a huge amount of pressure on security practitioners. Organizations—and individuals—take data protection and privacy very seriously. As more and more of our lives are stored in myriad Internet-interconnected systems, the pressure ratchets up continually.

Organizations understand the criticality of protecting everything from product roadmaps to customer and employee data to finance information. These are the things that keep our companies in business, and they must be kept under lock and key at all times. Before the Internet, our world was smaller; it was easier to keep track of what information was kept where and to whom we supplied it in the first place. Nowadays, if the business is providing information to a lender, for instance, it’s highly unlikely that only the lender is going to be connected to that private information which it stores. Disparate information systems interface with one another inside corporate networks and with outside vendors and partners all over the world, sometimes in jurisdictions with conflicting rules, regulations, and practices. The infamous Target breach, as we all now know, was accomplished through an exploit of an HVAC supplier’s network credentials.

Pushing down on me, pressing down on you

As our world expands, so do the pressures. The CISO is at the helm of this movement; in many organizations still, the top-ranking security professional might be monitoring the SIEM one moment and reporting to the board the next. In organizations large or sophisticated enough that double duty isn’t necessary, the expectations are even greater. A CISO, who has probably grown up through technical ranks, is now required to take on an entire business acumen that may be unfamiliar territory. In addition, he or she will undoubtedly be the scapegoat when disaster strikes.

At the other end of the spectrum is the security engineer who is now expected to know every capability of and countermeasure to the business’s attackers, even when the attacker has more time and money on his side. Regardless of the seat you occupy, it’s unlikely that, as a security professional, you don’t feel the stress of defending your organization’s information and aren’t constantly on high alert about information security vulnerabilities that may exist in the organizations with which you interact, on both a professional and a personal level.

It’s the terror of knowing what this world is about

The burden of working in infosec is the (true) knowledge of the scope of the problem. Then there’s the responsibility of making sure your company isn’t a victim. Security teams must have eyes everywhere: on their networks, users, and partners; on the Web in forums and dark channels; on industry and technology vulnerabilities and exploits; and the list goes on. As a result, most security practitioners experience a ton of stress. Everyone manages stress differently, but here are five tips to increase focus and lessen the stress:

Prioritize

If you leave it to anyone else in the business, everything is a top priority. By definition, “priority” means “something that is more important than other things and needs to be done or dealt with first.”[i] Since it’s impossible to do everything first, sit down and determine what really needs to be done first. Then second and third and so on. While making the list doesn’t mean items on the list evaporate, it helps to see what you’re going to work on first instead of thinking, “there are 1,000 things to and I don’t have time to do them all!” Break down your “to-do” list into manageable chunks and work through the top items first, leaving the less pressing items for later. Reduce the amount of time spent on unproductive activities to reduce the demands on your time. Once you determine where your time should be spent and begin to concentrate on the most important items, you’ll likely find that you are more able to accomplish focused work. “When you know what's important in your milieu and can drop those insights cold, you will not only sleep better, but you will find better ways of communicating those needs when the time comes,” says Darrin Reynolds of Reynolds Privacy.

Filter out the noise

Many security practitioners feel they have to be on top of everything all at once—security-related news, industry-related conversations, what’s happening at any one of the ten security conferences that might be taking place during any given week, responding to emails, participating in Twitter chats/podcasts/press requests, and so on. All of these activities are, of course, in addition to what’s required for work. Michael Santarcangelo of Security Catalyst advises, “Crowd out distractions; avoid the ‘risk catnip’” that’s inherent in the security field. “As technologists, many CISOs are challenged by the appeal of ‘blinking lights’ and the newest tech discussions,” says Reynolds. He continues, “the ability to properly distinguish between distraction and true disruption will go a long way to reducing the (often self-imposed) anxiety of our positions.”

When you have a task that needs completion, close down email. Log out of Twitter. Put your phone on silent. I promise, messages will still be there when you’re finished with the task at hand, and what you might find is that some of the noise, some of the distractions, are really not worth your time and attention anyway.

Communicate clearly

One thing that happens when we get stressed is that we rush through conversations or emails. Even when the person at the other end of the communication needs information from us to accomplish whatever is at the top of his or her priority list, if the topic isn’t of the utmost importance to us (and sometimes even when it is), there’s a desire to move that conversation along. The problem with this, though, is that clipped communication often leads to confusion or misunderstanding, which then means we have to step back and re-do whatever we were trying to usher off our plate in the first place.

Instead of trying to sideline the conversation/exchange, take a deep breath and respond thoughtfully. An extra few minutes on the front end of the communication will reduce the amount of time spent going back and rehashing conversations (which only creates more stress and frustration).

Plan for incidents

“The event that makes our stress dial ‘go to eleven’ is a security incident,” says Reynolds. In this day and age of “everyone’s a target” and “it’s not if, but when,” security teams always have incident handling in the back of their minds. You can reduce the stress of potentially dealing with an incident if your team has prepared and practiced your incident response (IR). Even though, as Reynolds warns, “much of incident response is like leading a dance as you learn it,” due to the fact that every breach is different, following a well-thought out process which everyone involved knows and understands will alleviate added stress. Plan in advance who is involved, when they are involved, and what their role and responsibilities are when the time comes. Have an up-to-date list of names on speed dial. The list should include HR, legal, and communications teams, and possibly outside IR consultants and law enforcement contacts with whom you’ve already forged a relationship (During an incident isn’t the time to create new relationships; that will only add to the stress). You can make your own life easier—and improve IR—by planning and practicing before an incident occurs.

Get a life

Often security practitioners forget that they are so much more than their job. Infosec seems to be one of the most all-encompassing fields I’ve come across, but it’s important to “make space to process and recover,” says Santarcangelo. “Stop glorifying ‘busy,’” he adds, and take time to care for yourself. Go for a run, watch a movie, paint, take a (GASP!) vacation! Research shows that regularly engaging in non-work-related activities lowers stress, contributes to good health, and makes people generally happier. Disconnect, too. The idea of “always on” communication is a relatively new phenomenon, and constantly checking your device for the latest updates or information not only increases stress (because security is a stressful business), but it can also harm relationships—and positive relationships are a well-known stress reducer.

You don’t “win” if you’re the busiest person in your office. You do win, however, if you are highly effective at your job. You’ll be more focused, clear-headed, and better able to handle problems, issues, and tasks if you take time to refresh and renew your focus.

Change our way of caring about ourselves

Information security is a stressful job, there’s no two ways about it. Practitioners can make it easier on themselves, however, with a little concerted effort. Some of it comes down to advanced planning; other parts depend on relinquishing a modicum of control. It can be freeing to stop doing things that add little value to our lives. Without a doubt, stepping back to figure out your priorities, clear away distractions, and make time to recover and rejuvenate will help you drive down stress and be able to focus on the things that will make you a more efficient, effective, and successful security practitioner.

MISTI Newsletters

Quick Links

MIS Training Institute is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.nasbaregistry.org.